Site "Not Secure"

Forums: General Discussion
Created on: 10/01/19 02:42 PM Views: 393 Replies: 15
Tuesday, October 1, 2019 at 2:42 PM

Website security certificates. When I get to my two sites (CHSAA or Crestwoodstock sites), if you look up in the URL area, it says “not secure” before the URL location. If people see that “not secure” is part of the URL, that may wave them away from the site.

I have read that when you go to a site that uses HTTPS (connection security), the website's server uses a certificate to prove the website's identity to browsers, like Chrome.

------------------------------------------------------
How do I make my class creator sites secure for transactions and is there a cost to install a security certificate?

Tuesday, October 1, 2019 at 7:40 PM - Response #1

Google has updated their browser (and subsequently, major browsers have followed), to alert users whenever they are on any page of any site that is not secured by a security certificate. Your site is currently secured on all pages that were previously necessary such as cart check out pages of the Event Planner as well as your Login pages. Rest assured that your site is safe and secure. However, we are still looking into a solution for admins to acquire a security certificate for their sites so that all pages reflect a secure status. We are working with our team to solve the logistics of this task. We will inform all of our administrators as soon as we have a solution that will work for our unique site scenario.


Saturday, October 12, 2019 at 6:22 PM - Response #2

I too have the same concern about security. Two Items
1. When I go to our main page AND AM LOGGED IN, it shows "Not Secure" on Chrome, unlike what your prior answer indicated. Am I reading this wrong, or doing something incorrectly?
2. Should I be using FF instead of Chrome? Tried FF and it also says not secure while I am logged in.
3. Also, this may be affecting it. I'm trying to use password saver software...it's driving me crazy as I often use the same PW on different sites (I know it's not a good idea). I've tried Dashlane and just deleted it...driving me crazy, now trying Sticky Password.

4. Not your problem most likely, but while I use Malwarebytes 24/7, I just got two ransomware letters (I know these are emails, not direct/locking attacks, and they are badly written, gross, untrue, and several weeks old, found in my junk mail...and I have NOT responded)...but security is getting a bit higher priority in my life now. Please advise. Thanks.

Friday, November 15, 2019 at 4:49 PM - Response #3

Thanks, Scott...

Everybody is becoming more aware of security holes these days and that 'Not Secure' heading on the URL is spooking more than a few of our classmates.

Telling them to 'ignore it' because our site is actually very safe sounds a lot like 'whistling in the dark'.

Be looking forward to a solution.

Friday, November 15, 2019 at 5:20 PM - Response #4

Forgot to mention, when I told (per your comment) one of our classmates that the pages where any secure information is required...such as the Log In page, "you will see that there is a secure icon (padlock, etc.)." He went away, grumbling...

So then he called me back 10 minutes later and said the 'Edit Profiles' page (where he loads pictures) was not secure. He's evidently right as I see no security icon.

The 'Edit Contact Info' page is secure, but because we're uploading pictures into the server (I presume) on the 'Edit Profile' page, does that then become a possible entry point for bad guys?

Friday, November 15, 2019 at 10:08 PM - Response #5

I'm not a security expert, but these are my thoughts:

There is a level of security built in to the Edit Profile page, in that a classmate must be logged in before he/she can view or edit that page. So, the Edit Profile page can only "become a possible entry point for bad guys," if the bad guys are logged in.

All the pages in the Member Functions section (Notify Me, Edit Contact Info, Edit Profile, Change Password, Log out) are viewable for editing only after one is logged in.

Edited 11/15/19 10:13 PM
Friday, November 15, 2019 at 10:31 PM - Response #6

I may be incorrect here, but pretty sure this will work to solve the "not secure" concern. In some ways it is similar to how the login, payment link name changes to https.

So here's my concept that is an easy way to do this (get sites secure with https), but it requires some changes by CC and a new Option for users (admins of a site, not classmates) since they "might" have to make a few changes. [I do here and there, but it's not too hard.]

Our sites with a domain name get directed to the actual name used by CC.

For example
http://www.bothellhigh61.com
is actually
https://www.classcreator.com/Bothell-WA-Bothell-Senior-1961/

So if you click either link, you end up at exactly the same place. The difference is that the first is "not secure" and the second one IS secure.

Now if you click any of the left-hand links, CC has generated bothellhigh61.com links, but that doesn't have to be that way at all.

To illustrate see this example of links Bothell Weather [Note: I just modified this page to show how it works if CC did this by making the page itself convert to the Secure version of the page. It's not an important page in case there's something I forgot - that a browser setting might complain about]

Clicking from either page link generates
http://www.bothellhigh61.com/Bothell-Weather.htm .. modified so it automatically goes to the next link
but actually this next link is exactly the same thing
https://www.classcreator.com/Bothell-WA-Bothell-Senior-1961/Bothell-Weather.htm

Now there is one problem and the home page shows that. The https change affects the way default links are done by your browser and catches where you mixed secure and not secure references.

I hardcoded an iframe reference (in a script) using bothellhigh61.com and that violates "mixed content rule" for https - a security violation. Hence the scrolling classmate script does not run and is just a gray rectangle. On the bothellhigh61.com link it shows. This is very easy for me to fix. I just left it to show what happens. Similar issues occur for scripts.

So that's why it has to be an "option" to use the https name vs your domain name.

However, it solves the "not secure" issue described.

If you click some of the inner links, like Reunion Committee you can see that it stays "secure".

Should be very easy for CC to implement since if you stop paying for a site, that's actually what happens anyway.

[I forgot to post this some time ago and this post reminded me.]

Edited 11/17/19 2:34 PM
Saturday, November 16, 2019 at 12:04 PM - Response #7

Both Scott and Jack's posts are very helpful.

Scott you're right, and the 'black hats' have to get past the Log In to theoretically do very much. Perhaps not much of a hurdle, but it's there.

The crux of the problem is that (often RED) 'Not secure' notice that Google now puts in front of the URL. Heck it even makes me a little uneasy. My classmates with very little understanding of security tend to freak out.

I'm afraid explaining the nuance of your analysis, Scott, will not be enough...

Jack's points are impressive, your skills are way above mine Jack, in even figuring all this out.

But that's a problem as well, most of my classmates at 73 years of age are way past a somewhat technical solution that they would have to implement. They'd just stop coming to the site.

There must be a better way to keep our sites user friendly and secure; and without Google's non helpful 'Not secure' (in RED) notice.

But Class Creator is going to have to figure that out before we begin losing large amounts of classmates from all of our sites.

Saturday, November 16, 2019 at 1:38 PM - Response #8

This change will be completely transparent to Classmates - just the secure lock will appear vs not secure. I'm assuming that Classmates means the members of a class. They just click on exactly the same link they did before. No action required by them. CC does all the changes in the "background" so to speak. [Just like CC does now for Login, Payment, Editing, Manage Classmates etc. In fact, that is so transparent I bet many admins never noticed - those are the "users" I referred to not classmates]

The only thing CC does is 1) switch the "landing" page to the https version AND 2) change all the link names to the https version. They could do the second step and probably leave the first page alone. However, then the first page would still show not secure.

Most sites will be surprisingly adaptable. The reason is that when you use the Editor and Preview a Page, that is already what happens - it switches to your actual CC website address. Have not seen any complaints that a preview did not show correctly. Not a guarantee, but also tends to make me think it won't be a big problem.

To see this, select Edit Site Pages. Now pick a page and Click Preview. Notice that the upper link in browser is now Secure. Exact same page.

IOW, if you can see your pages in Preview, your site is good to go.

Mine has some very custom code. Most sites just use the default tools. The main thing that some sites need to "fix" is that they might have hardcoded links to their pages inside of other pages. They need to fix those links since they would still "work" but revert to the not secure version.

However, that is why it would be an Option in preferences. If somehow there was an issue, revert back if one did not understand how to fix. They could always ask here how to fix though. Almost all can be fixed if the referenced resource has an https version.

Edited 11/16/19 1:51 PM
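
Added example (not part of any post in this thread, and not ClassCreator's code): a small Node.js audit for the hardcoded `http://` references described in Responses #6 and #8, separating subresources an https page blocks from plain links that drop visitors back to the not-secure address. The function name `auditPage`, the `scroller.htm` path and the `example.org` hosts are constructed for illustration; the domain-to-https mapping is the one given in Response #6.

```javascript
// Added example: audit page HTML for hardcoded http:// references that break
// or downgrade an https page. SAMPLE_HTML is constructed for illustration.
const ACTIVE = new Set(["script", "iframe", "embed"]);        // blocked on https pages
const PASSIVE = new Set(["img", "audio", "video", "source"]); // warned, upgraded or blocked by browser version

function auditPage(html, ownHost, secureBase) {
  const findings = [];
  // <tag ... src|href="http://..."> with double, single or no quotes.
  const re = /<([a-z][a-z0-9]*)\b[^>]*?\s(?:src|href)\s*=\s*["']?(http:\/\/[^"'\s>]+)/gi;
  for (const m of html.matchAll(re)) {
    const tag = m[1].toLowerCase();
    let u;
    try { u = new URL(m[2]); } catch { continue; }   // skip malformed URLs
    let risk;
    if (ACTIVE.has(tag)) risk = "blocked";           // active mixed content
    else if (PASSIVE.has(tag)) risk = "passive";     // passive mixed content
    else if (tag === "a") risk = "http-link";        // works, but leaves https
    else continue;
    // Own-domain references can be rewritten onto the secure base path;
    // third-party ones need that host to offer https, so no rewrite is guessed.
    const fix = u.hostname === ownHost
      ? secureBase.replace(/\/$/, "") + u.pathname + u.search + u.hash
      : null;
    findings.push({ tag, url: m[2], risk, fix });
  }
  return findings;
}

// Constructed sample page: one reference of each kind, plus one already-secure link.
const SAMPLE_HTML = `
<iframe src="http://www.bothellhigh61.com/scroller.htm"></iframe>
<script src='http://cdn.example.org/lib.js'></script>
<img alt="gym" src=http://images.example.org/gym.jpg>
<a href="http://www.bothellhigh61.com/Bothell-Weather.htm">Weather</a>
<a href="https://www.classcreator.com/Bothell-WA-Bothell-Senior-1961/">Home</a>`;

const report = auditPage(SAMPLE_HTML, "www.bothellhigh61.com",
  "https://www.classcreator.com/Bothell-WA-Bothell-Senior-1961/");
console.table(report);
```
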
Saturday, November 16, 2019 at 1:56 PM - Response #9

I forgot to mention that Step 2 code is already there in CC. It's what you get when you get a "free" site (or revert back to one). So the only change is actually Step 1.

Sites that Pay code would have the Option code added in Preferences (or?) and code to check option of course.

Sunday, November 17, 2019 at 8:28 PM - Response #10

Made a script so anyone can easily make any page "secured" but image links might need to be modified depending on how you did them. If CC changes, it will still work since it checks site http status.

EDIT: removed content because cookie gets removed so it did not work as intended. I was logged into https in one tab and testing in another tab using our actual Domain name. So I had two cookies active that made it all work.

Funny thing is that if you do NOT have a domain name it all works great. See THIS PAGE for how that works. That is a 100% secure ClassCreator site using https.

Edited 02/13/20 9:10 PM
Monday, December 23, 2019 at 10:39 AM - Response #11

Scott,
Any update on a solution for security certificates?

Thanks - Patrick

Thursday, February 13, 2020 at 7:08 PM - Response #12

Also to Scott: Here's "second" to the question about "any update on a solution for security certificates?"

Cheers, Allen.

Friday, February 14, 2020 at 11:24 AM - Response #13

“To see this, select Edit Site Pages. Now pick a page and Click Preview. Notice that the upper link in browser is now Secure. Exact same page.

IOW, if you can see your pages in Preview, your site is good to go.”

Jack, in Preview, everything on our website is Secure in Preview. Does this mean our site is Secure? Or does this mean CC should have an easy fix?
Thank you, Jack, for taking time to educate us!

Edited 02/14/20 11:28 AM
Friday, February 14, 2020 at 1:13 PM - Response #14

Thanks. I also got educated in reviewing the details. Especially with the script that worked perfectly, except that I did not realize I had two cookies (one for the Domain and one for classcreator https) active. With the newer restrictions coming, this issue is becoming urgent vs just something that will not affect our sites.

CC should have a relatively "easy fix". Right now when you use your Domain name to login, CC changes to the secure CC URL and then after you finish, it changes back to your Domain name. Which of course is not secure.

Sites that do NOT have a domain name get the default raw CC URL which is easily made https, even without CC doing anything, by the little script I wrote. If I started today, I would never get a Domain name. There are other ways but involved shelling out a few $$$ with another ISP.

The edit "Preview" is just to show that all your pages show as "secure".

What is interesting is that most pages that are not content related are now https. So that was a step towards security. They did forget a few. The login one being the most serious forgotten one.

Friday, February 14, 2020 at 4:00 PM - Response #15

“With the newer restrictions coming, this issue is becoming urgent vs just something that will not affect our sites.”

CC - Because this is urgent, CC please advise your solution to make my class website Secure. As an administrator, my classmates depend on me to provide them with an easy to access website.
Is anyone from tech support reading these comments?

Edited 02/14/20 4:04 PM